PCWorks: Java 2 Platform Privilege Escalation Vulnerability

Tue, 01 May 2007 06:08:07 -0700 

Java 2 Platform Privilege Escalation Vulnerability

Secunia Advisory: SA25069       
Release Date:   2007-05-01

Critical:       
Moderately critical
Impact: Security Bypass
Where:  From remote
Solution Status: Vendor Patch

Software: Sun Java Enterprise System 5.x
Sun Java JDK 1.5.x
Sun Java JRE 1.4.x
Sun Java JRE 1.5.x / 5.x
Sun Java SDK 1.4.x

Description:
Sun has acknowledged a vulnerability in the Java Web Start of the Java 2 Platform, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an unspecified error within the use of system classes. This can e.g. be exploited to read and write to local files via malicious Java Web Start Applications.
The vulnerability is reported in Java Web Start in JDK and JRE 5.0 Update 10 and Java Web Start in SDK and JRE 1.4.2_13 and earlier for Windows, Solaris and Linux.
Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable: 
http://secunia.com/software_inspector/

Solution:
Update to Java Web Start in JDK and JRE 5.0 Update 11 or later, or Java Web Start in SDK and JRE 1.4.2_14 or later. 

-- J2SE 5.0 --
http://java.sun.com/j2se/1.5.0/download.jsp

-- J2SE 5.0 Update 11 for Solaris --

J2SE 5.0: update 11 (as delivered in patch 118666-11 or later)
J2SE 5.0: update 11 (as delivered in patch 118667-11 or later (64bit))
J2SE 5.0_x86: update 11 (as delivered in patch 118668-11 or later)
J2SE 5.0_x86: update 11 (as delivered in patch 118669-11 or later (64bit))

--- J2SE 1.4.2 --
http://java.sun.com/j2se/1.4.2/download.html

Note that vulnerable versions should be removed from the system.

Provided and/or discovered by:
The vendor credits the Fujitsu security team.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102881-1
============= PCWorks Mailing List =================
Don't see your post? Check our posting guidelines &
make sure you've followed proper posting procedures,
http://pcworkers.com/rules.htm
Contact list owner <[EMAIL PROTECTED]>
Unsubscribing and other changes: http://pcworkers.com
=====================================================

Reply via email to